diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7 new file mode 100644 index 0000000..5ec4289 --- /dev/null +++ b/man7/kernel_lockdown.7 @@ -0,0 +1,107 @@ +.\" +.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. +.\" Written by David Howells (dhowells@redhat.com) +.\" +.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA) +.\" This program is free software; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License +.\" as published by the Free Software Foundation; either version +.\" 2 of the License, or (at your option) any later version. +.\" %%%LICENSE_END +.\" +.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual" +.SH NAME +Kernel Lockdown \- Kernel image access prevention feature +.SH DESCRIPTION +The Kernel Lockdown feature is designed to prevent both direct and indirect +access to a running kernel image, attempting to protect against unauthorised +modification of the kernel image and to prevent access to security and +cryptographic data located in kernel memory, whilst still permitting driver +modules to be loaded. +.P +Lockdown is typically enabled during boot and may be terminated, if configured, +by typing a special key combination on a directly attached physical keyboard. +.P +If a prohibited or restricted feature is accessed or used, the kernel will emit +a message that looks like: +.P +.RS + Lockdown: X: Y is restricted, see man kernel_lockdown.7 +.RE +.P +where X indicates the process name and Y indicates what is restricted. +.P +On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled +if the system boots in EFI Secure Boot mode. +.P +If the kernel is appropriately configured, lockdown may be lifted by typing the +appropriate sequence on a directly attached physical keyboard. For x86 +machines, this is +.IR SysRq+x . +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH COVERAGE +When lockdown is in effect, a number of features are disabled or have their use +restricted. This includes special device files and kernel services that allow +direct access of the kernel image: +.P +.RS +/dev/mem +.br +/dev/kmem +.br +/dev/kcore +.br +/dev/ioports +.br +BPF +.br +kprobes +.RE +.P +and the ability to directly configure and control devices, so as to prevent the +use of a device to access or modify a kernel image: +.P +.RS +The use of module parameters that directly specify hardware parameters to +drivers through the kernel command line or when loading a module. +.P +The use of direct PCI BAR access. +.P +The use of the ioperm and iopl instructions on x86. +.P +The use of the KD*IO console ioctls. +.P +The use of the TIOCSSERIAL serial ioctl. +.P +The alteration of MSR registers on x86. +.P +The replacement of the PCMCIA CIS. +.P +The overriding of ACPI tables. +.P +The use of ACPI error injection. +.P +The specification of the ACPI RDSP address. +.P +The use of ACPI custom methods. +.RE +.P +Certain facilities are restricted: +.P +.RS +Only validly signed modules may be loaded (waived if the module file being +loaded is vouched for by IMA appraisal). +.P +Only validly signed binaries may be kexec'd (waived if the binary image file to +be executed is vouched for by IMA appraisal). +.P +Unencrypted hibernation/suspend to swap are disallowed as the kernel image is +saved to a medium that can then be accessed. +.P +Use of debugfs is not permitted as this allows a whole range of actions +including direct configuration of, access to and driving of hardware. +.P +IMA requires the addition of the "secure_boot" rules to the policy, whether or +not they are specified on the command line, for both the builtin and custom +policies in secure boot lockdown mode. +.RE